[
https://issues.jboss.org/browse/JBIDE-26869?page=com.atlassian.jira.plugi...
]
André Dietisheim updated JBIDE-26869:
-------------------------------------
Comment: was deleted
(was: Digging further I found out the following: when this happens, the request to
retrieve the token via the REST service fails with a 403 while when done via the Web-Site
URL things work properly.
It thus looks to me as if in these failure cases, CRC didn't start up correctly, portions
failed to come up.
To solve this issue we should use the full url that's reported as authentication
endpoint. The client library currently maps the host portion to the known REST service
host.
In full details:
In the client library we retrieve the authorization endpoint via the unprotected url
*<REST-service-host>/.well-known/oauth-authorization-server*. We then get the
following json:
{code}
{
  ...
  "authorization_endpoint": "https://oauth-openshift.apps-crc.testing/oauth/authorize",
  ...
}
{code}
The REST client then only uses the path and replaces the host with the one of the known
REST-endpoint (*<REST-service-host>/oauth/authorize* instead of
*oauth-openshift.apps-crc.testing/oauth/authorize*).
The client requests:
{code}
curl -k -v "https://api.crc.testing:6443/oauth/authorize?response_type=token&client_id=openshift-challenging-client"
{code}
and gets an error:
{code}
< HTTP/2 403
< audit-id: 4416d6ab-5f0a-4bab-b5b3-507e9a6aa319
< cache-control: no-cache, private
< content-type: application/json
< x-content-type-options: nosniff
< content-length: 248
< date: Fri, 25 Oct 2019 20:43:11 GMT
<
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
  },
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/oauth/authorize\"",
  "reason": "Forbidden",
  "details": {
  },
  "code": 403
}
{code}
Re-requesting won't help, you always get the same error back.
In 8/10 cases in crc and on all online variants this works just fine and won't report an
error.
If you instead then use the host that's provided in the json and request
{code}
curl -k -H "X-CSRF-Token:1" \
  "https://oauth-openshift.apps-crc.testing/oauth/authorize?response_type=token&client_id=openshift-challenging-client" \
  -v -H "X-OPENSHIFT-AUTH-ATTEMPTS: 1" \
  -H "Authorization: Basic ZGV2ZWxvcGVyOmRldmVsb3Blcg=="
{code}
You get the token via the following response:
{code}
< HTTP/1.1 302 Found
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Expires: 0
< Expires: Fri, 01 Jan 1990 00:00:00 GMT
< Location: https://oauth-openshift.apps-crc.testing/oauth/token/implicit#access_toke...
< Pragma: no-cache
< Pragma: no-cache
< Referrer-Policy: strict-origin-when-cross-origin
< Set-Cookie:
ssn=MTU3MjAzNTQxOHxSZ2N0YXNjZENEMGx2Qk9zTHBidDZQQzIwU3kwMnNjMEh3VGRwTk5GcmRqemFEaXV0M0lnOW5wMmR1bUV3cjE1RUdYU1h3NXZKMWhiRDVtczFqcTJUY2I2MEQyVDI0RWNEc1I0U1k1UjlVT2pWV3hFcGREOFZIajBqWHlLbWo3OHduU0xXeGJzSmZIbG5reEpabUJqTDVOcy1oQkFMSGxHQXc9PXzPAWZ_kLR1ZzE8gHpjwIrj8y_enudtAwsN09vQGToCCw==;
Path=/; HttpOnly; Secure
< X-Content-Type-Options: nosniff
< X-Dns-Prefetch-Control: off
< X-Frame-Options: DENY
< X-Xss-Protection: 1; mode=block
< Date: Fri, 25 Oct 2019 20:30:18 GMT
{code}
The token is in the *Location* header (access_token=).
)
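
The host remapping described in the deleted comment above, next to the proposed use of the advertised URL, as an added example (not code from the issue or from the client library). Class and method names are hypothetical, the discovery JSON is a constructed sample built from the field quoted above, and the https check is an added assumption about what a client should verify before sending credentials to a host named by the discovery document.

```java
import java.net.URI;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class AuthorizationEndpointResolver {

    // Constructed sample: the one relevant field of the discovery document.
    static final String DISCOVERY_JSON =
        "{ \"authorization_endpoint\": "
        + "\"https://oauth-openshift.apps-crc.testing/oauth/authorize\" }";

    // Minimal field extraction to keep the example dependency-free;
    // a real client would use its JSON library here.
    static URI advertisedEndpoint(String json) {
        Matcher m = Pattern
            .compile("\"authorization_endpoint\"\\s*:\\s*\"([^\"]+)\"")
            .matcher(json);
        if (!m.find()) {
            throw new IllegalStateException("no authorization_endpoint in discovery document");
        }
        return URI.create(m.group(1));
    }

    // Behaviour described in the comment: keep only the path of the
    // advertised endpoint and put it on the known REST service host.
    static URI remappedToRestHost(URI restBase, URI advertised) {
        return restBase.resolve(advertised.getRawPath());
    }

    // Proposed behaviour: use the advertised URL unchanged, but refuse to
    // send credentials to anything that is not an absolute https URL.
    static URI asAdvertised(URI advertised) {
        if (!"https".equalsIgnoreCase(advertised.getScheme()) || advertised.getHost() == null) {
            throw new IllegalArgumentException("refusing non-https endpoint: " + advertised);
        }
        return advertised;
    }

    public static void main(String[] args) {
        URI restBase = URI.create("https://api.crc.testing:6443"); // REST host from the curl call
        URI advertised = advertisedEndpoint(DISCOVERY_JSON);
        System.out.println("remapped:   " + remappedToRestHost(restBase, advertised));
        System.out.println("advertised: " + asAdvertised(advertised));
    }
}
```

The first printed URL is the one that returned the 403 for `system:anonymous` in the comment; the second is the one that returned the 302 carrying the token.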
CRC server adapter: OpenShift connection that is created is unusable at times
-----------------------------------------------------------------------------
Key: JBIDE-26869
URL: https://issues.jboss.org/browse/JBIDE-26869
Project: Tools (JBoss Tools)
Issue Type: Bug
Components: openshift
Affects Versions: 4.13.0.AM1
Environment: CRC Beta5
Reporter: André Dietisheim
Assignee: André Dietisheim
Priority: Critical
Fix For: 4.13.0.Final, 4.14.0.AM1
Attachments: crc-connection-error.mp4, start-crc-error-openshift-conn.mp4
*Steps* - not reproducible at 100%, happens from time to time:
# ASSERT: have ~/.crc folder killed
# EXEC: create new CRC server adapter & Start it
# ASSERT: OpenShift connection is created
*Result:*
Connection fails to authorize, reports that it cannot access resources using
system:anonymous. Refreshing the connection doesn't help, so it's apparently not a
timing issue (ex. creating the connection before the cluster is fully up and running)
{code}
com.openshift.restclient.authorization.ResourceForbiddenException: forbidden: User "system:anonymous" cannot get path "/oauth/authorize" forbidden: User "system:anonymous" cannot get path "/oauth/authorize"
    at com.openshift.internal.restclient.okhttp.ResponseCodeInterceptor.createOpenShiftException(ResponseCodeInterceptor.java:111)
    at com.openshift.internal.restclient.okhttp.ResponseCodeInterceptor.intercept(ResponseCodeInterceptor.java:66)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:112)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:87)
    at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.kt:184)
    at okhttp3.RealCall.execute(RealCall.kt:66)
    at com.openshift.internal.restclient.okhttp.OpenShiftAuthenticator.tryAuth(OpenShiftAuthenticator.java:109)
    at com.openshift.internal.restclient.okhttp.OpenShiftAuthenticator.authenticate(OpenShiftAuthenticator.java:62)
    at okhttp3.internal.http.RetryAndFollowUpInterceptor.followUpRequest(RetryAndFollowUpInterceptor.kt:213)
    at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:102)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:112)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:87)
    at com.openshift.internal.restclient.okhttp.ResponseCodeInterceptor.intercept(ResponseCodeInterceptor.java:55)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:112)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:87)
    at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.kt:184)
    at okhttp3.RealCall.execute(RealCall.kt:66)
    at com.openshift.internal.restclient.DefaultClient.request(DefaultClient.java:315)
    at com.openshift.internal.restclient.DefaultClient.execute(DefaultClient.java:307)
    at com.openshift.internal.restclient.DefaultClient.execute(DefaultClient.java:275)
    at com.openshift.internal.restclient.DefaultClient.execute(DefaultClient.java:243)
    at com.openshift.internal.restclient.DefaultClient.execute(DefaultClient.java:226)
    at com.openshift.internal.restclient.DefaultClient.get(DefaultClient.java:423)
    at com.openshift.internal.restclient.authorization.AuthorizationContext.isAuthorized(AuthorizationContext.java:63)
    at org.jboss.tools.openshift.core.connection.Connection.authorize(Connection.java:237)
    at org.jboss.tools.openshift.core.connection.Connection.connect(Connection.java:226)
    at org.jboss.tools.openshift.internal.crc.server.core.listeners.ConfigureCRCFrameworksListener.configureOpenshift(ConfigureCRCFrameworksListener.java:102)
    at org.jboss.tools.openshift.internal.crc.server.core.listeners.ConfigureCRCFrameworksListener.configureFrameworks(ConfigureCRCFrameworksListener.java:73)
    at org.jboss.tools.openshift.internal.crc.server.core.listeners.ConfigureCRCFrameworksListener$1.run(ConfigureCRCFrameworksListener.java:66)
    at org.eclipse.core.internal.jobs.Worker.run(Worker.java:63)
{code}